November 4th, 2005, 12:33 AM
#20
Processes must be able to read, write, and execute objects within their sandboxes.
Catch,
I understand where you are going with this but I need for you to clarify something. There is no permission called just "traverse directory"; it is "traverse directory/execute file."
It's not a permission that I use a lot because in my environment I don't have terminal servers, or machines where clients have active logins and their own directories. But from the MS help it would appear that this setting stops directory traversal and executing files. So are you setting this permission on the applications or on the directories? Am I mistaken that if you put it on a directory you would not be able to run anything in that directory, or move out of that directory? How does this still allow a user to execute code?
if you set this on the root of each client application-
and disable directory traversal would be enabled on the root of each application’s paths.
For which users?
How do you run the applications? Your explanation does not really explain the actual configuration and how the client_app account ties into what the user is doing. For whom do you disable the right to traverse directories and execute files? Do you disable it for all users? That is what I think is missing from your explanation.
Wouldn't you need to set up the application to always run as the client_app account? If you only deny the directory traversal/execute file permissions for the client_app account, and the user program is started in the context of the user, doesn't it still have that permission?
I did some searching and I can't find any resources that detail this configuration method. The best I can come up with is this MS research article that talks about using restricted SIDs to prevent malware from being a problem. It doesn't detail how to actually do it though. Most notable is this reference from page 32: "Restricted contexts can implement simple security policies, such as disabling administrative rights and privileges for most programs, as well as more restrictive policies such as limiting a program to accessing only a single file."
http://www.cs.washington.edu/homes/m...ers/tissec.pdf
This definitely does what you are talking about, but it would appear in a much different fashion. Or is the secondary user account how you configure the restricted SID? Meaning is the restricted SID the client_app account?
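The two questions raised in this post, that "traverse folder" and "execute file" are one NTFS permission bit rather than two, and that a Deny entry aimed at one account does nothing for a process whose token does not carry that account's SID, can be checked directly from the ACL. The PowerShell below is an added example written for this thread, not code from any poster or from the referenced paper. It audits a folder for Deny entries carrying that bit and reports whether the token running the script would actually be affected; the temporary folder and the use of the built-in Guests group (SID S-1-5-32-546) in the demo are constructed for illustration.

```powershell
# Added example: audit "Traverse folder / execute file" denies on a folder
# and test whether the current token is among the denied identities.

function Get-TraverseExecuteDenies {
    param([Parameter(Mandatory)][string]$Path)

    # On a folder this bit means "Traverse folder"; on a file it means
    # "Execute file". FileSystemRights.Traverse and FileSystemRights.ExecuteFile
    # are the same value (0x20), which is why the GUI shows one combined entry.
    $bit = [System.Security.AccessControl.FileSystemRights]::Traverse

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $hasBit = (([int]$ace.FileSystemRights) -band ([int]$bit)) -eq ([int]$bit)
        if ($ace.AccessControlType -eq 'Deny' -and $hasBit) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference          # NTAccount or SID object
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-DenyAppliesToCurrentToken {
    param([Parameter(Mandatory)][string]$Path)

    # A Deny ACE only matters if the SID it names is the token's user or one
    # of the token's groups. A process started as the interactive user does
    # not carry a separate "client_app" account's SID unless it is a member.
    $token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    foreach ($deny in Get-TraverseExecuteDenies -Path $Path) {
        $denySid = $deny.Identity.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{
            DeniedIdentity  = $deny.Identity.Value
            DeniedSid       = $denySid
            AppliesToMe     = $tokenSids -contains $denySid
        }
    }
}

# --- Demo on a constructed temporary folder ---------------------------------
$demo = Join-Path $env:TEMP ("traverse-demo-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    # Show that the two enum names are literally the same bit.
    $same = [System.Security.AccessControl.FileSystemRights]::Traverse -eq
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    Write-Host "Traverse == ExecuteFile : $same"

    # Deny the bit to Guests (well-known SID, so no name lookup is needed).
    $guests = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-546'
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $guests,
        [System.Security.AccessControl.FileSystemRights]::Traverse,
        'ContainerInherit,ObjectInherit', 'None',
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $demo
    $acl.AddAccessRule($rule)
    Set-Acl -Path $demo -AclObject $acl

    Write-Host "`nDeny entries carrying the traverse/execute bit:"
    Get-TraverseExecuteDenies -Path $demo | Format-Table -AutoSize

    Write-Host "Does any of them bind to the token running this script?"
    Test-DenyAppliesToCurrentToken -Path $demo | Format-Table -AutoSize
}
finally {
    Remove-Item -Path $demo -Recurse -Force
}
```

Run it from a normal (non-Guest) session: the Deny entry for Guests is listed, but AppliesToMe is False, because the running token does not carry S-1-5-32-546. Replace Guests with the account you intend to restrict and run the same check from the process you expect to be confined; if AppliesToMe is False there, the Deny entry is not doing the work the configuration assumes.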